From 07eb60d07ff250ad726a2a45c0320e37d91fad7a Mon Sep 17 00:00:00 2001
From: Zach Riggle
Date: Tue, 29 Nov 2016 10:48:52 -0700
Subject: [PATCH] Add 'system' option for ssh.process to pass to "sh -c"
---
pwnlib/tubes/ssh.py | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/pwnlib/tubes/ssh.py b/pwnlib/tubes/ssh.py
index 8f4cd364e..c85e43c4f 100644
--- a/pwnlib/tubes/ssh.py
+++ b/pwnlib/tubes/ssh.py
@@ -623,7 +623,8 @@ def shell(self, shell = None, tty = True, timeout = Timeout.default):
return self.run(shell, tty, timeout = timeout)
def process(self, argv=None, executable=None, tty=True, cwd=None, env=None, timeout=Timeout.default, run=True,
- stdin=0, stdout=1, stderr=2, preexec_fn=None, preexec_args=[], raw=True, aslr=None, setuid=None):
+ stdin=0, stdout=1, stderr=2, preexec_fn=None, preexec_args=[], raw=True, aslr=None, setuid=None,
+ shell=False):
r"""
Executes a process on the remote server, in the same fashion as pwnlib.tubes.process.process.
@@ -680,6 +681,8 @@ def process(self, argv=None, executable=None, tty=True, cwd=None, env=None, time
See ``pwnlib.tubes.process.process`` for more information.
setuid(bool):
See ``pwnlib.tubes.process.process`` for more information.
+ shell(bool):
+ Pass the command-line arguments to the shell.
Returns:
A new SSH channel, or a path to a script if ``run=False``.
@@ -737,6 +740,9 @@ def process(self, argv=None, executable=None, tty=True, cwd=None, env=None, time
Traceback (most recent call last):
...
NameError: global name 'bar' is not defined
+
+ >>> s.process('echo hello', shell=True).recvall()
+ 'hello\n'
"""
if not argv and not executable:
self.error("Must specify argv or executable")
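Review bot: The `shell(bool)` docstring entry added in the second hunk says only that the arguments are passed to the shell, and leaves out the two things a caller needs: `argv` must hold exactly one string, and that string is run as `/bin/sh -c <string>` on the remote host (both visible in the last hunk). Since the remote shell parses the string, the entry should also say that any value interpolated into it has to be shell-quoted by the caller. Suggested text: `Run the single string in argv via "/bin/sh -c" on the remote host. The shell parses it, so quote any value you interpolate; argv must contain exactly one element.` The doctest added in the third hunk covers only the one-string case; an example showing the error raised for a two-element `argv` would pin the length check.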
@@ -750,6 +756,11 @@ def process(self, argv=None, executable=None, tty=True, cwd=None, env=None, time
if not isinstance(argv, (list, tuple)):
self.error('argv must be a list or tuple')
+ if shell:
+ if len(argv) != 1:
+ self.error('Cannot provide more than 1 argument if shell=True')
+ argv = ['/bin/sh', '-c'] + argv
+
# Python doesn't like when an arg in argv contains '\x00'
# -> execve() arg 2 must contain only strings
for i, arg in enumerate(argv):
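Review bot: `argv = ['/bin/sh', '-c'] + argv` raises TypeError when `argv` is a tuple, which the `isinstance(argv, (list, tuple))` check just above explicitly allows; `argv = ['/bin/sh', '-c'] + list(argv)` handles both. The message 'Cannot provide more than 1 argument if shell=True' would also be emitted for an empty `argv`, because the test is `len(argv) != 1`; wording such as `'shell=True requires exactly one argument'` covers both cases. How the rewritten `argv` interacts with an explicitly passed `executable` cannot be seen from here, since the body of `process` starts before and continues past this hunk.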